IN THE CLAIMS 



1 -21. (cancelled) 

22. (new) A method comprising: 

generating, by a first vulnerability analysis and fortification (VAF) agent operating in a 
hardware-based system, a first process representation of a first process, wherein the first process 
comprises a series of sequential operations that are represented by multiple nodes in the first 
process representation, and wherein the first VAF agent monitors the first process for security 
exposures; 

defining legal and illegal interfaces between the multiple nodes in the first process 
representation, wherein a legal interface between a first node and a second node in the first 
process representation reflects an authorization for operations represented by the first node and 
the second node to be linked, and wherein an illegal interface reflects a lack of authorization for 
operations represented by the first node and the second node to ever be directly linked; 

generating, by a second VAF agent, a second process representation of a second process; 

comparing nodes from the first process representation to nodes of the second process 
representation, wherein the second VAF agent monitors the second process for security 
exposures; and 

in response to the nodes of the first process representation matching nodes in the second 
process representation, sending an alert from the first VAF agent to the second VAF agent, 
wherein the alert identifies the illegal interfaces between nodes in the first process representation 
as potential illegal interfaces between nodes in the second process representation. 

23. (new) The method of claim 22, wherein the legal interface further reflects a requisite 
action in the first node that is required to reach the second node, and wherein the illegal interface 
■further reflects an absence of the requisite action in the first node. 

24. (new) The method of claim 23, wherein the legal interface further reflects a requisite 
return code being transmitted from the second node to the first node, wherein the requisite return 
code is transmitted in response to a password being sent from the first node to the second node. 
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25. (new) The method of claim 22, further comprising: 

in response to the first VAF agent detecting the illegal interface, creating, by the first 
VAF agent, a security patch that prohibits the first node from being linked to the second node; 
and 

transmitting the security patch from the first VAF agent to the second VAF agent. 

26. (new) The method of claim 22, wherein the first process and the second process are 
component parts of a single distributed software system. 

27. (new) The method of claim 22, wherein the first process representation and the second 
process representation are respectively derived from an extensible markup language (XML) 
description of the first process and the second process. 

28. (new) The method of claim 27, wherein the XML description of the first process is 
stored in a security server that is protected by a first firewall detection system, and wherein the 
XML description of the second process is stored in the security server and is protected by a 
different second firewall detection system. 

29. (new) The method of claim 22, wherein the method described in claim 22 is embodied 
as an add-on software component, the method further comprising: 

adding the add-on software component to an enterprise solution before shipping the 
enterprise software solution to a customer, wherein die enterprise solution is based on the first 
process. 

30. (new) The method of claim 22, wherein the first VAF agent and the second VAF agent 
are controlled by a single VAF tool. 

31. (new) The method of claim 22, wherein the first process representation and the second 
process representation are depicted as graphs. 
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32. (new) A computer program product comprising a computer readable storage medium 
embodied therewith, the computer readable storage medium comprising: 

computer readable program code configured to generate, by a first vulnerability analysis 
and fortification (VAF) agent operating in a hardware-based system, a first process 
representation of a first process, wherein the first process comprises a series of operations that 
are represented by multiple nodes in the first process representation, and wherein the first VAF 
agent monitors the first process for security exposures; 

computer readable program code configured to define legal and illegal interfaces between 
the multiple nodes in the first process representation, wherein a legal interface between a first 
node and a second node in the first process representation reflects an authorization for operations 
represented by the first node and the second node to be linked, and wherein an illegal interface 
reflects a lack of authorization for operations represented by the first node and the second node 
to be directly linked; 

computer readable program code configured to generate, by a second VAF agent, a 
second process representation of a second process; 

computer readable program code configured to compare nodes from the first process 
representation to nodes of the second process representation, wherein the second VAF agent 
monitors the second process for security exposures; and 

computer readable program code configured to, in response to the nodes of the first 
process representation matching nodes in the second process representation, send an alert from 
the first VAF agent to the second VAF agent, wherein the alert identifies the illegal interfaces 
between nodes in the first process representation as potential illegal interfaces between nodes in 
the second process representation, 

33. (new) The computer program product of claim 32, wherein the legal interface further 
reflects a requisite action in the first node that is required to reach the second node, and wherein 
the illegal interface further reflects an absence of the requisite action in the first node. 

34. (new) The computer program product of claim 33, wherein the legal interface further 
reflects a requisite return code being transmitted from the second node to the first node, wherein 
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the requisite return code is transmitted in response to a password being sent from the first node to 
the second node. 

36. (new) The computer program product of claim 32, wherein the first process and the 
second process are component parts of a single distributed software system. 

37. (new) The computer program product of claim 32, wherein the computer program 
product is an add-on software component, the computer program product further comprising: 

computer readable program code configured to add the add-on software component to an 
enterprise solution before shipping the enterprise software solution to a customer. 

38. (new) The computer program product of claim 32, wherein the first VAF agent and the 
second VAF agent are controlled by a single VAF tool. 

39. (new) A system comprising: 

a central processing unit (CPU), a computer readable memory, and a computer readable 
storage media; 

first program instructions for generating, by a first vulnerability analysis and fortification 
(VAF) agent operating in a hardware-based system, a first process representation of a first 
process, wherein the first process comprises a series of sequential operations that are represented 
by multiple nodes in the first process representation, and wherein the first VAF agent monitors 
the first process for security exposures; 

second program instructions for defining legal and illegal interfaces between the multiple 
nodes in the first process representation, wherein a legal interface between a first node and a 
second node in the first process representation reflects an authorization for operations 
represented by the first node and the second node to always be linked, and wherein an illegal 
interface reflects a lack of authorization for operations represented by the first node and the 
second node to ever be directly linked; 

third program instructions for generating, by a second VAF agent, a second process 
representation of a second process; 
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fourth program instructions for comparing nodes from the first process representation to 
nodes of the second process representation, wherein the second VAF agent monitors the second 
process for security exposures; and 

fifth program instructions for, in response to the nodes of the first process representation 
matching nodes in the second process representation, sending an alert from the first VAF agent 
to the second VAF agent, wherein the alert identifies the illegal interfaces between nodes in the 
first process representation as potential illegal interfaces between nodes in the second process 
representation, and wherein 

said first, second, third, fourth and fifth program instructions are stored on said computer 
readable storage media for execution by said CPU via said computer readable memory. 

40. (new) The system of claim 39, wherein the first process and the second process are 
component parts of a single distributed software system. 

41. (new) The system of claim 39, wherein the first VAF agent and the second VAF agent 
are controlled by a single VAF tool. 
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